The hj is the vulnerable variable, it specifies the file to download by passing the file name in an encrypted fashion.

Any encrypted string passed in via hj would be decrypted and would be part of the file download prompt. This allowed RedShark1802 to passing arbitrary strings like "aaaaaaaaaa" and obverse the response to come up with the proper attack string. A vulnerability like this is called an Oracle as it gives you an opportunity to make the encryption moot.